Listen 443
<VirtualHost *:80>
  ServerName infrastructure.fedoraproject.org
  ServerAlias infrastructure.stg.fedoraproject.org
  ServerAdmin webmaster@fedoraproject.org
  TraceEnable Off

  # enable git smart http cloning.
  SetEnv GIT_PROJECT_ROOT /srv/web/infra/
  SetEnv GIT_HTTP_EXPORT_ALL
  ScriptAliasMatch \
                       "(?x)^/infra/(.*/(HEAD | \
                                    info/refs | \
                                    objects/(info/[^/]+ | \
                                    [0-9a-f]{2}/[0-9a-f]{38} | \
                                    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                                    git-(upload|receive)-pack))$" \
                       /usr/libexec/git-core/git-http-backend/$1

  # 
  # redirect everyone to use https
  #
  # We can't do this until virt-install can handle https 

#  RewriteEngine on
#  RewriteCond %{SERVER_PORT} !^443$
#  RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [L,R]

# robots location
Alias /robots.txt /srv/web/robots.txt.lockbox01

DocumentRoot /srv/web
<Directory /srv/web>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
 
<Directory /srv/web/repo>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

<Directory /srv/web/repo/rhel>
  Order deny,allow
  Require all denied
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/rhel>
  Order deny,allow
  Require all denied
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/pub>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all denied
  Include "conf.d//allows"
</Directory>

<Directory /srv/web/infra>
  Options Indexes FollowSymLinks
  Require all granted
  Include "conf.d//allows"
</Directory>

<Directory /srv/web/infra/bigfiles>
  Options FollowSymLinks
  Require all granted
  Include "conf.d//allows"
</Directory>

# Needed for cgit cgi
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<Directory "/usr/share/cgit">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<Directory "/usr/libexec/git-core">
    AllowOverride None
    Options None
    Require all granted
</Directory>
</VirtualHost>

<VirtualHost *:443>
  ServerName infrastructure.fedoraproject.org
  ServerAlias infrastructure.stg.fedoraproject.org
  ServerAdmin webmaster@fedoraproject.org

  # enable git smart http cloning.
  SetEnv GIT_PROJECT_ROOT /srv/web/infra/
  SetEnv GIT_HTTP_EXPORT_ALL
  ScriptAliasMatch \
                       "(?x)^/infra/(.*/(HEAD | \
                                    info/refs | \
                                    objects/(info/[^/]+ | \
                                    [0-9a-f]{2}/[0-9a-f]{38} | \
                                    pack/pack-[0-9a-f]{40}\.(pack|idx)) | \
                                    git-(upload|receive)-pack))$" \
                       /usr/libexec/git-core/git-http-backend/$1

  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/{{ wildcard_crt_file }}
  SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
  SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}

  Header always add Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

  SSLHonorCipherOrder On

  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
  # If you change the protocols or cipher suites, you should probably update
  # modules/squid/files/squid.conf-el6 too, to keep it in sync.
  SSLProtocol {{ ssl_protocols }}
  SSLCipherSuite {{ ssl_ciphers }}

# robots location
Alias /robots.txt /srv/web/robots.txt.lockbox01

DocumentRoot /srv/web
<Directory /srv/web>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>
 
<Directory /srv/web/repo>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all granted
</Directory>

<Directory /srv/web/repo/rhel>
  Require all denied
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/rhel>
  Require all denied
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/pub>
  Options Indexes FollowSymLinks
  AllowOverride None
  Require all denied
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/infra>
  Options Indexes FollowSymLinks
  Require all granted
  Include "conf.d/allows"
</Directory>

<Directory /srv/web/infra/bigfiles>
  Options FollowSymLinks
  Require all granted
  Include "conf.d/allows"
</Directory>

# Needed for cgit cgi
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/var/www/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<Directory "/usr/share/cgit">
    AllowOverride None
    Options None
    Require all granted
</Directory>
<Directory "/usr/libexec/git-core">
    AllowOverride None
    Options None
    Require all granted
</Directory>
</VirtualHost>
